14.11. FreeBSD Security Advisories

Contributed by Tom Rhodes.

Like many producers of quality operating systems, the FreeBSD
Project has a security team which is responsible for
determining the End-of-Life (EoL) date for
each FreeBSD release and for providing security updates for
supported releases which have not yet reached their
EoL. More information about the FreeBSD
security team and the supported releases is available on the
FreeBSD security
page.

One task of the security team is to respond to reported
security vulnerabilities in the FreeBSD operating system. Once a
vulnerability is confirmed, the security team verifies the steps
necessary to fix the vulnerability and updates the source code
with the fix. It then publishes the details as a
“Security Advisory”. Security
advisories are published on the FreeBSD
website and mailed to the
freebsd-security-notifications, freebsd-security, and
freebsd-announce mailing lists.

Each security advisory is signed by the
PGP key of the Security Officer. The
public key for the Security Officer can be verified at
Appendix D, PGP Keys.

The name of the security advisory always begins with
FreeBSD-SA- (for FreeBSD Security
Advisory), followed by the year in two-digit format
(14:), followed by the advisory number
for that year (04.), followed by the
name of the affected application or subsystem
(bind). The advisory shown here is the
fourth advisory for 2014 and it affects
BIND.

The Topic field summarizes the
vulnerability.

The Category refers to the
affected part of the system which may be one of
core, contrib, or
ports. The core
category means that the vulnerability affects a core
component of the FreeBSD operating system. The
contrib category means that the
vulnerability affects software included with FreeBSD,
such as BIND. The
ports category indicates that the
vulnerability affects software available through the Ports
Collection.

The Module field refers to the
component location. In this example, the
bind module is affected; therefore,
this vulnerability affects an application installed with
the operating system.

The Announced field reflects the
date the security advisory was published. This means
that the security team has verified that the problem
exists and that a patch has been committed to the FreeBSD
source code repository.

The Credits field gives credit to
the individual or organization who noticed the
vulnerability and reported it.

The Affects field explains which
releases of FreeBSD are affected by this
vulnerability.

The Corrected field indicates the
date, time, time offset, and releases that were
corrected. The section in parentheses shows each branch
for which the fix has been merged, and the version number
of the corresponding release from that branch. The
release identifier itself includes the version number
and, if appropriate, the patch level. The patch level is
the letter p followed by a number,
indicating the sequence number of the patch, allowing
users to track which patches have already been applied to
the system.
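The two identifier formats described above, the advisory name (FreeBSD-SA-YY:NN.subsystem) and the release identifier with its optional pN patch level, are simple enough to parse mechanically, which is how an administrator can check a fleet against the Corrected field without reading each advisory by hand. The following is an added example written for this section, not code from the FreeBSD Handbook or the FreeBSD Project. The function names, the Release and Advisory classes, and the sample Corrected lines are constructed for illustration; the sample lines follow only the structure the text describes (date, time, time offset, then branch and release in parentheses), not any particular advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not FreeBSD Project code). Names and sample data are constructed.

# Advisory identifier: FreeBSD-SA-<YY>:<NN>.<subsystem>, e.g. FreeBSD-SA-14:04.bind
ADVISORY_RE = re.compile(
    r"^FreeBSD-SA-(?P<year>\d{2}):(?P<number>\d{2})\.(?P<name>[A-Za-z0-9_.+-]+)$"
)

# Release identifier: <major>.<minor>-<TAG>[-p<N>], e.g. 9.2-RELEASE-p3 or 10.0-STABLE
RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<tag>[A-Z0-9]+)(?:-p(?P<patch>\d+))?$"
)

# One line of the Corrected field: "<date> <time> <offset> (<branch>, <release>)"
CORRECTED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"\((?P<branch>[^,]+), (?P<release>[^)]+)\)$"
)


@dataclass(frozen=True)
class Advisory:
    year: int        # four-digit year (the two-digit field is 20YY)
    number: int      # sequence number within that year
    subsystem: str   # affected application or subsystem


@dataclass(frozen=True)
class Release:
    major: int
    minor: int
    tag: str         # RELEASE, STABLE, RC5, PRERELEASE, ...
    patch: int       # 0 when the identifier carries no -pN suffix


@dataclass(frozen=True)
class Correction:
    date: str
    time: str
    tz: str
    branch: str      # e.g. releng/9.2
    release: Release


def parse_advisory_id(ident: str) -> Advisory:
    m = ADVISORY_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a FreeBSD security advisory identifier: {ident!r}")
    return Advisory(2000 + int(m["year"]), int(m["number"]), m["name"])


def parse_release(ident: str) -> Release:
    m = RELEASE_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a FreeBSD release identifier: {ident!r}")
    patch = int(m["patch"]) if m["patch"] is not None else 0
    return Release(int(m["major"]), int(m["minor"]), m["tag"], patch)


def parse_corrected(text: str) -> List[Correction]:
    """Parse the lines of a Corrected field into Correction records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CORRECTED_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Corrected line: {line!r}")
        out.append(Correction(m["date"], m["time"], m["tz"],
                              m["branch"].strip(), parse_release(m["release"])))
    return out


def is_corrected(installed: str, corrected: str) -> Optional[bool]:
    """True if `installed` is at or past the corrected patch level of the same
    release line, False if behind, None if the release lines differ (the
    comparison says nothing about a different branch)."""
    a, b = parse_release(installed), parse_release(corrected)
    if (a.major, a.minor, a.tag) != (b.major, b.minor, b.tag):
        return None
    return a.patch >= b.patch


def system_status(installed: str, corrected_text: str) -> Optional[bool]:
    """Match the installed release (e.g. the string uname -r prints) against
    every Corrected line; None means no line covers this release line."""
    verdicts = [is_corrected(installed, str(c.release.major) + "." + str(c.release.minor)
                             + "-" + c.release.tag + ("-p%d" % c.release.patch if c.release.patch else ""))
                for c in parse_corrected(corrected_text)]
    hits = [v for v in verdicts if v is not None]
    return all(hits) if hits else None


# Constructed sample of a Corrected field, following the structure in the text.
CORRECTED_SAMPLE = """\
2014-01-14 19:38:00 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:00 UTC (releng/9.2, 9.2-RELEASE-p3)
"""

if __name__ == "__main__":
    print(parse_advisory_id("FreeBSD-SA-14:04.bind"))
    print(system_status("9.2-RELEASE-p2", CORRECTED_SAMPLE))   # False: p2 is behind p3
    print(system_status("9.2-RELEASE-p3", CORRECTED_SAMPLE))   # True
    print(system_status("10.0-RELEASE", CORRECTED_SAMPLE))     # None: no matching line
```

A None result is deliberately distinct from False: an installed release that no Corrected line mentions may be unaffected, unsupported, or simply missing from the sample, and the script should not silently report it as patched.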

The CVE Name field lists the
identifier assigned to the vulnerability, if one exists, in the
public cve.mitre.org vulnerability database.

The Background field provides a
description of the affected module.

The Problem Description field
explains the vulnerability. This can include
information about the flawed code and how the utility
could be maliciously used.

The Impact field describes what
type of impact the problem could have on a system.

The Workaround field indicates whether
a workaround is available to system administrators who
cannot immediately patch the system.

The Solution field provides the
instructions for patching the affected system. This is a
step-by-step, tested and verified method for getting a
system patched and working securely.

The Correction Details field
displays each affected Subversion branch with the revision
number that contains the corrected code.

The References field offers sources
of additional information regarding the
vulnerability.